Dear developers, I tested pcre using a fuzzing tool and found an undefined behavior.
I downloaded the source code from svn:

svn co svn://vcs.exim.org/pcre2/code/trunk pcre

Attached are two files to reproduce the undefined behavior. First build pcre with the clang undefined behavior sanitizer, and then compile pcre_fuzzer.cc using the commands shown below:

clang++ -g -fsanitize=undefined -c -std=c++11 -I inst/include/ pcre_fuzzer.cc
clang++ -g -fsanitize=undefined -Wl,--whole-archive inst/lib/*.a -Wl,-no-whole-archive pcre_fuzzer.o -o pcre_fuzzer

Then execute pcre_fuzzer and you'll see the error information reported by ubsan:

./pcre_fuzzer
src/pcre2_compile.c:6665:45: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

-- Dingbao Xie
// pcre_fuzzer.cc: standalone driver that feeds one file ("./ub") through
// the PCRE2 POSIX wrapper (regcomp/regexec), as built above with UBSan.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>
#include "pcre2posix.h"

// Read a whole file into a byte vector. Opened in binary mode so the
// reproducer bytes are passed through unchanged.
std::vector<uint8_t> FileToVector(const std::string &path) {
  std::ifstream T(path, std::ios::binary);
  return std::vector<uint8_t>((std::istreambuf_iterator<char>(T)),
                              std::istreambuf_iterator<char>());
}

// libFuzzer-style entry point: the input is used both as the pattern and
// as the subject string. It is NUL-terminated here because regcomp()
// takes a C string.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size < 1) return 0;
  char *str = new char[size + 1];
  memcpy(str, data, size);
  str[size] = 0;
  regex_t preg;
  if (0 == regcomp(&preg, str, 0)) {
    regexec(&preg, str, 0, 0, 0);
    regfree(&preg);
  }
  delete[] str;
  return 0;
}

int main() {
  std::vector<uint8_t> test = FileToVector("./ub");
  LLVMFuzzerTestOneInput(test.data(), test.size());
  return 0;
}
Attachment: ub (binary data)
-- ## List details at https://lists.exim.org/mailman/listinfo/pcre-dev
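The sanitizer message in the report is the generic C pitfall of computing a bit mask as `1 << 31` in `int`: the result does not fit the signed type, so the shift is undefined behaviour (a shift count equal to or larger than the operand width is undefined as well). The C below is an added example illustrating the UBSan-clean way to build such masks; it is not code from pcre2 or from the reporter, and the function names (`bit_mask32`, `with_flag32`, `flag_is_set32`, `shift_fits_int`) are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not pcre2 code. The UB pattern is
 *     int mask = 1 << n;       (n == 31 on a 32-bit int)
 * Doing the shift on an unsigned type of known width avoids it. */

/* Single-bit mask for bit n of a 32-bit word; 0 if n is out of range,
 * since shifting by >= the operand width is also undefined. */
uint32_t bit_mask32(unsigned n)
{
    if (n >= 32)
        return 0;
    return UINT32_C(1) << n;   /* operand is uint32_t: cannot overflow */
}

/* Return flags with bit n set; unchanged if n is out of range. */
uint32_t with_flag32(uint32_t flags, unsigned n)
{
    return flags | bit_mask32(n);
}

/* 1 if bit n is set in flags, else 0. */
int flag_is_set32(uint32_t flags, unsigned n)
{
    uint32_t m = bit_mask32(n);
    return m != 0 && (flags & m) != 0;
}

/* Guard for code that really must shift into a signed int:
 * 1 << n is representable only while n < (width of int) - 1. */
int shift_fits_int(unsigned n)
{
    return n < (unsigned)(sizeof(int) * CHAR_BIT - 1);
}

int main(void)
{
    uint32_t flags = with_flag32(0, 31);
    printf("mask for bit 31: 0x%08x\n", (unsigned)bit_mask32(31));
    printf("bit 31 set: %d, bit 30 set: %d\n",
           flag_is_set32(flags, 31), flag_is_set32(flags, 30));
    printf("bit 32 rejected: %d\n", with_flag32(flags, 32) == flags);
    printf("1 << 31 fits int: %d\n", shift_fits_int(31));
    return 0;
}
```

Compiling this with `clang -fsanitize=undefined` produces no runtime report, whereas the same program with `int mask = 1 << 31;` trips the "left shift of 1 by 31 places cannot be represented in type 'int'" check quoted above.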
